================================================================== BUG: KASAN: use-after-free in __lock_acquire+0x3f13/0x57d0 kernel/locking/lockdep.c:4702 Read of size 8 at addr ffff888011a84320 by task syz-executor.5/8808 CPU: 0 PID: 8808 Comm: syz-executor.5 Not tainted 5.11.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x9a/0xcc lib/dump_stack.c:120 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:230 __kasan_report mm/kasan/report.c:396 [inline] kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413 __lock_acquire+0x3f13/0x57d0 kernel/locking/lockdep.c:4702 lock_acquire kernel/locking/lockdep.c:5442 [inline] lock_acquire+0x1a8/0x720 kernel/locking/lockdep.c:5407 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:354 [inline] chroot_fs_refs+0x104/0x5c0 fs/fs_struct.c:70 __do_sys_pivot_root+0xd6f/0x1990 fs/namespace.c:3774 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x466459 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:0000000000a9ffa8 EFLAGS: 00000246 ORIG_RAX: 000000000000009b RAX: ffffffffffffffda RBX: 0000000001d5a3bc RCX: 0000000000466459 RDX: 0000000000465567 RSI: 00000000004bfcfb RDI: 00000000004bfbb1 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd11bb7288 R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000400538 Allocated by task 8793: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:401 [inline] ____kasan_kmalloc.constprop.0+0x82/0xa0 mm/kasan/common.c:429 kasan_slab_alloc include/linux/kasan.h:209 [inline] slab_post_alloc_hook mm/slab.h:512 [inline] slab_alloc_node mm/slub.c:2892 [inline] slab_alloc mm/slub.c:2900 [inline] kmem_cache_alloc+0x1c6/0x440 mm/slub.c:2905 copy_fs_struct+0x3e/0x320 fs/fs_struct.c:114 copy_fs kernel/fork.c:1443 [inline] copy_process+0x4645/0x6770 kernel/fork.c:2088 kernel_clone+0xb8/0x7f0 kernel/fork.c:2462 __do_sys_clone+0xaf/0xf0 kernel/fork.c:2579 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 10126: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:356 ____kasan_slab_free+0xe1/0x110 mm/kasan/common.c:362 kasan_slab_free include/linux/kasan.h:192 [inline] slab_free_hook mm/slub.c:1547 [inline] slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1580 slab_free mm/slub.c:3143 [inline] kmem_cache_free+0x82/0x350 mm/slub.c:3159 do_exit+0xa63/0x2570 kernel/exit.c:821 do_group_exit+0xe7/0x290 kernel/exit.c:922 get_signal+0x36c/0x1c30 kernel/signal.c:2773 arch_do_signal_or_restart+0x2a8/0x1eb0 arch/x86/kernel/signal.c:811 handle_signal_work kernel/entry/common.c:147 [inline] exit_to_user_mode_loop kernel/entry/common.c:171 [inline] exit_to_user_mode_prepare+0x148/0x250 kernel/entry/common.c:201 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at ffff888011a84300 which belongs to the cache fs_cache of size 168 The buggy address is located 32 bytes inside of 168-byte region [ffff888011a84300, ffff888011a843a8) The buggy address belongs to the page: page:000000002611c054 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11a84 flags: 0xfff00000000200(slab) raw: 00fff00000000200 ffffea0000424a40 0000000600000006 ffff88800f5bb500 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888011a84200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888011a84280: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc >ffff888011a84300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888011a84380: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc ffff888011a84400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================